Revision: 1126
http://www.exim.org/viewvc/pcre2?view=rev&revision=1126
Author: ph10
Date: 2019-07-04 18:01:53 +0100 (Thu, 04 Jul 2019)
Log Message:
-----------
Check for integer overflow when computing lookbehind lengths. Fixes Clusterfuzz
issue 13656.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/ChangeLog 2019-07-04 17:01:53 UTC (rev 1126)
@@ -85,7 +85,10 @@
16. Give error if pcre2test -t, -T, -tm or -TM is given an argument of zero.
+17. Check for integer overflow when computing lookbehind lengths. Fixes
+Clusterfuzz issue 15636.
+
Version 10.33 16-April-2019
---------------------------
Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c 2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/src/pcre2_compile.c 2019-07-04 17:01:53 UTC (rev 1126)
@@ -9269,8 +9269,26 @@
case META_MINMAX_QUERY:
if (pptr[1] == pptr[2])
{
- if (pptr[1] == 0) branchlength -= lastitemlength;
- else itemlength = (pptr[1] - 1) * lastitemlength;
+ switch(pptr[1])
+ {
+ case 0:
+ branchlength -= lastitemlength;
+ break;
+
+ case 1:
+ itemlength = 0;
+ break;
+
+ default: /* Check for integer overflow */
+ if (lastitemlength != 0 && /* Should not occur, but just in case */
+ INT_MAX/lastitemlength < pptr[1] - 1)
+ {
+ *errcodeptr = ERR87; /* Integer overflow; lookbehind too big */
+ return -1;
+ }
+ itemlength = (pptr[1] - 1) * lastitemlength;
+ break;
+ }
pptr += 2;
break;
}
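Review bot: The `/* Should not occur, but just in case */` remark on the `lastitemlength != 0` guard looks inaccurate: a repeatable item of zero length (an empty group, or one whose length was cancelled by an earlier `{0}`) followed by a fixed quantifier does leave `lastitemlength` at 0, so the guard is a real divide-by-zero protection and its comment should say so, e.g. `/* lastitemlength can be 0 (e.g. an empty group); avoid dividing by zero */`. Since any single item longer than LOOKBEHIND_MAX is rejected by the branch-length check later in the function anyway, bounding with `LOOKBEHIND_MAX / lastitemlength` instead of `INT_MAX / lastitemlength` would be equivalent and would remove the need for the `(int)itemlength` cast and the INT_MAX subtraction that follow. By my arithmetic the regression test added in testinput2 (`\1{65481}` on a 32784-character group) gives a product of about 2.1467e9, just under INT_MAX, so it appears to exercise the existing LOOKBEHIND_MAX rejection rather than this new overflow branch; assuming LOOKBEHIND_MAX is 65535, something like `(?<!(?: {65535}){32770})` would reach it. Separately, the log message cites Clusterfuzz issue 13656 while the ChangeLog entry says 15636, so one of the two is probably transposed. The enclosing function starts before and ends after this hunk.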
@@ -9284,19 +9302,19 @@
return -1;
}
- /* Add the item length to the branchlength, and save it for use if the next
- thing is a quantifier. */
+ /* Add the item length to the branchlength, checking for integer overflow and
+ for the branch length exceeding the limit. */
- branchlength += itemlength;
- lastitemlength = itemlength;
-
- /* Ensure that the length does not overflow the limit. */
-
- if (branchlength > LOOKBEHIND_MAX)
+ if (INT_MAX - branchlength < (int)itemlength ||
+ (branchlength += itemlength) > LOOKBEHIND_MAX)
{
*errcodeptr = ERR87;
return -1;
}
+
+ /* Save this item length for use if the next item is a quantifier. */
+
+ lastitemlength = itemlength;
}
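Review bot: The new guard `INT_MAX - branchlength < (int)itemlength` is itself overflow-free only under two invariants the hunk does not state: `branchlength` must be non-negative (otherwise the subtraction overflows), which depends on the `{0}` case earlier in the function never subtracting more than was previously added, and `itemlength` must not exceed INT_MAX, which the quantifier multiply check establishes for that path but every other source of itemlength must also respect for the `(int)` cast to be well defined. A comment recording those preconditions would help the next reader, e.g. `/* branchlength is never negative and itemlength <= INT_MAX here, so neither the subtraction nor the cast can overflow. */`. The assignment buried in the second operand, `(branchlength += itemlength) > LOOKBEHIND_MAX`, is correct only because `||` short-circuits; writing the overflow check, the addition and the limit check as three separate statements would read more clearly at no cost. The enclosing function starts before and ends after this hunk.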
EXIT:
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/testdata/testinput2 2019-07-04 17:01:53 UTC (rev 1126)
@@ -5647,4 +5647,6 @@
/(?<=(?<=a)b)(?<!abcd)(?<=(?<=a)bcde)/I
+/( {32742} {42})(?<!\1{65481})/
+
# End of testinput2
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2019-07-03 17:15:37 UTC (rev 1125)
+++ code/trunk/testdata/testoutput2 2019-07-04 17:01:53 UTC (rev 1126)
@@ -17078,6 +17078,9 @@
May match empty string
Subject length lower bound = 0
+/( {32742} {42})(?<!\1{65481})/
+Failed: error 187 at offset 15: lookbehind assertion is too long
+
# End of testinput2
Error -70: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data